[00:02.050 --> 00:09.270]  All right, so now what you're seeing on the screen is the setup steps for the
[00:09.270 --> 00:15.990]  Ferothy ransomware. In the first screen, what you are seeing is the folder with the name
[00:15.990 --> 00:23.350]  tools. That's where we have got the most important files. So when I look at it, I've got two files
[00:23.350 --> 00:29.950]  in there for this proof of concept. One is named most important file and the second one
[00:29.950 --> 00:39.830]  being the sensitive passwords. So let's open one of the text files. Looking at the text file,
[00:39.830 --> 00:46.670]  it seems that there is some text in there for the demo purposes, but it's in plain text right now.
[00:46.770 --> 00:53.230]  So let's close this file and let's look at the second file, which is the sensitive passwords file,
[00:53.910 --> 00:59.970]  which contains some dummy passwords in there in plain text. Okay, so I'm going to close these
[00:59.970 --> 01:08.130]  files now. So now you know that these are the important files on the machine, which we are
[01:08.130 --> 01:17.350]  going to encrypt through Ferothy. Okay, what I've got on the right is the C drive of the
[01:18.070 --> 01:23.650]  machine which we are going to infect with ransomware.
[01:24.150 --> 01:31.470]  And what I'm going to show here is this is the folder structure. And remember that right now
[01:31.470 --> 01:39.250]  we have configured our ransomware to encrypt files in the tools folder. However, this can be
[01:39.250 --> 01:47.810]  customized to encrypt the full folder of the complete C drive or the whole document folder
[01:47.810 --> 01:57.450]  or pictures or whatever you like. Okay, so let's keep it open and see how things are changing when
[01:57.450 --> 02:02.870]  you run the ransomware on the infected machine. The third folder I have opened here is the
[02:02.870 --> 02:11.250]  folder that is where all the certificates and the symmetric keys are going to get
[02:11.250 --> 02:20.450]  dropped and then it's going to get exfiltrated out to the attacker. In the fourth window, I have got
[02:21.410 --> 02:29.430]  browser open. In the first tab, I've got the Google Drive. Right now, if you look at this
[02:29.430 --> 02:36.030]  Google Drive, there is only one folder and a file. However, there is no other thing available
[02:36.030 --> 02:46.490]  here. So, for the exfiltration purposes, when you have big files, it's going to get exfiltrated to
[02:46.490 --> 02:55.590]  Google Drive. So, I tried it with this test MP4 file, which is 126 MB and it works perfect.
[02:56.150 --> 03:04.690]  So, what is going to happen is these files over here are going to get copied into
[03:05.270 --> 03:13.390]  the Google Drive when you run the ransomware. And remember that we have distributed
[03:13.390 --> 03:22.590]  our attack infrastructure in a way that we are not relying on one
[03:22.590 --> 03:31.000]  service. So, the symmetric keys are going to come to poke mail.
[03:32.130 --> 03:37.490]  And how do you set up poke mail? I'm going to show you in a moment. But before that,
[03:37.490 --> 03:48.360]  let's look at what sort of UAC controls we have on the infected machine. So, let's look at the
[03:49.320 --> 03:57.740]  UAC settings. It seems that the highest level of UAC is always notify.
[03:58.980 --> 04:04.200]  Whenever the app tries to install a software or make any changes to the computer,
[04:04.560 --> 04:11.100]  this is going to notify the user. So, this is currently set on always notify.
[04:11.660 --> 04:20.040]  Let's minimize this and look at the current certificate store, which is the local store
[04:20.040 --> 04:30.420]  on the box. So, the current store has got only one certificate in here.
[04:30.420 --> 04:38.620]  However, when the ransomware is going to get deployed, you will see one of the other
[04:38.620 --> 04:43.320]  certificates is going to get installed and then it's going to get removed afterwards.
[04:43.780 --> 04:52.820]  Once you exfiltrate and encrypt these files inside the tools folder. Let's minimize this now.
[04:53.340 --> 05:00.300]  So, let's set up our ransomware with the email address where you wanted to exfiltrate the
[05:00.300 --> 05:07.760]  keys for the certificate. Right now, I've chosen the Statue of Liberty as a location.
[05:07.760 --> 05:17.760]  So, I'm going to click on this and then get the geographic coordinates and I'm going to
[05:18.280 --> 05:25.920]  paste it in here. So, these geographic coordinates are for the Statue of Liberty.
[05:25.980 --> 05:33.480]  I'm going to set this as my location. So, once I set this as a location, you'll see that it has
[05:33.480 --> 05:41.900]  created a unique location for me and then it has generated a random looking email account for me.
[05:42.280 --> 05:54.740]  And then it has got one email in it as of now. So, you have to copy this email and then put it
[05:54.740 --> 06:02.740]  inside your ransomware file and have to make changes in the email address parameter. So,
[06:02.740 --> 06:13.340]  I'm going to do that now. So, I've modified the email address for one in here and the other
[06:13.340 --> 06:19.160]  place where you want to make changes is email one parameter over here. So, after you make those
[06:19.160 --> 06:27.920]  changes, save the file. So, I'm going to save this file and I'm going to minimize this for now.
[06:27.920 --> 06:34.100]  And I have got... I've opened a PowerShell file and I'm going to run the ransomware.
[06:35.100 --> 06:40.960]  To run the ransomware, all you need to do is just run one single PowerShell file.
[06:41.280 --> 06:47.740]  Once this is going to run, you will start seeing files going to get dropped inside the temporary
[06:47.740 --> 06:59.620]  folder. And then in Gmail Drive, you are going to see a zip encrypted file containing the
[07:01.200 --> 07:10.960]  exfiltrated data. So, I'm going to hit enter. So, it is going to create a B64 encoded certificate.
[07:10.960 --> 07:16.240]  This is going to be the public key. And then it's identifying...
[07:17.860 --> 07:29.220]  So, then it's going to install the 7-zip module onto the machine. However, let's see if this has
[07:29.220 --> 07:36.100]  already installed the certificate on the machine. Not as of now, but let's give it some time and
[07:36.100 --> 07:43.360]  then you'll see another certificate being installed in here on the machine. So, once that
[07:43.360 --> 07:52.140]  is done, it's going to start encrypting the files. So, right now it is zipping the files. So, if you
[07:52.140 --> 07:59.080]  look at this, it has already created the certificate. It is creating files and now the files
[07:59.080 --> 08:06.120]  are already zipped and email has been sent to an attacker on the Pokemail. So, if we go here and
[08:06.120 --> 08:16.440]  refresh it, you know, it has created the still.zip file. It is running some enumeration on the files
[08:16.440 --> 08:25.780]  on what all files the ransomware needs to encrypt. And then it's going to start uploading the files
[08:25.780 --> 08:32.560]  to the Google Drive. So, once it's going to upload the large files, it's going to delete it from the
[08:32.560 --> 08:41.060]  temporary folder. And then you'll see that it is going to start encrypting the files. If you look
[08:41.060 --> 08:47.940]  at here, you will see that the files have already been encrypted and we have successfully deployed
[08:48.800 --> 08:56.040]  ransomware onto the machine. So, once this is done, you know, it gives you a notification
[08:56.040 --> 09:06.340]  on the infected machine that, you know, they have been ransomed and the files are encrypted.
[09:06.600 --> 09:14.060]  So, you know, as of now I have put 30 seconds for the proof of concept, but then you can set this
[09:14.060 --> 09:23.520]  timer for, you know, however long you want, right? And so once this is going to be done,
[09:23.520 --> 09:31.980]  it's going to close the UI and then it's going to change the desktop of the infected machine.
[09:31.980 --> 09:43.380]  Right now, if you see, if you have a quick look at the folder where we had sensitive files,
[09:43.380 --> 09:49.260]  the files have been changed with .firoti extension. The file type is again changed
[09:49.260 --> 09:59.650]  with .firoti. And then once you see here, the background gets changed as well with
[10:02.440 --> 10:10.620]  the .firoti background. Okay, so that's been done as well. And if you look at it here, right,
[10:10.620 --> 10:16.400]  you have received emails containing the private key for the certificates.
[10:16.400 --> 10:26.580]  All the certificates are already deleted from the infected machine. And then if you try to open the
[10:27.060 --> 10:37.520]  tools folder again and try to access the files, you'll see that, you know, it's no longer accessible.
[10:37.520 --> 10:43.760]  If you open it, you know, there are just junk characters in it and it's been encrypted
[10:44.720 --> 10:56.120]  with .firoti. So that's what the ransomware does. And so the next step is to actually go ahead and
[10:56.120 --> 11:04.400]  download the encryption keys. So I'm going to download the backup 1.zip file.
[11:05.180 --> 11:15.460]  And if I go back to inbox, I'm going to download the other file as well. So I'm going to copy this.
[11:15.480 --> 11:30.240]  I'm going to backup this as well. You know, so once downloaded, you can go to your
[11:31.060 --> 11:38.160]  Google Drive and you'll see that the still.zip file is already in there. And if you try to open this,
[11:38.160 --> 11:44.040]  you'll see that you've got the same two files in there. The most important file.txt and the
[11:44.040 --> 11:54.740]  sensitive passwords.txt. These files were actually on the infected host in .txt format,
[11:54.740 --> 12:01.280]  which is now converted to .firoti. Okay. So if you try to open this, you won't be able to open
[12:01.280 --> 12:07.960]  this. The reason is, but however, let's download this. So it is scanning for wireless. And now
[12:07.960 --> 12:14.580]  once it's going to download, let's go to the download folder. Oh, it's not done already yet.
[12:14.580 --> 12:23.240]  So let's go to the download folder and see if we can open this. So if we can try to open this,
[12:23.240 --> 12:33.600]  it requires the password. And this password for these files is actually inside the poke mail,
[12:33.600 --> 12:42.580]  right? So and in the backup.zip file. So if you try to open the backup.zip file and look at the
[12:42.580 --> 12:48.920]  sys.txt file, that's the private key for the zip encrypted file, which is on the Google Drive.
[12:48.920 --> 12:57.780]  So, but however, it requires the password. This password is encrypted using this initialization
[12:57.780 --> 13:05.700]  vector over here, which is using the symmetric key, right? So this is the symmetric key
[13:06.800 --> 13:14.940]  for the very first file, which is sys.txt, right? So this initialization vector as an attacker,
[13:14.940 --> 13:21.380]  you are the only one who holds this. And since this is running inside the memory,
[13:22.200 --> 13:28.840]  and as you rotate your infrastructure, no one else would be able to gain access to this.
[13:28.900 --> 13:35.740]  So let's verify and put this as a password in there. And sure enough, this is the
[13:37.360 --> 13:45.540]  the password for the stolen file, right? So this is the password for the, sorry,
[13:45.540 --> 13:51.420]  certificates using which the files have been encrypted. So when you want to send this
[13:51.420 --> 13:59.380]  decryption key, this is what you're going to send it to the user. Okay, so that's how the attack
[13:59.380 --> 14:11.640]  works. And if you look at it, there is going to be a firoti.txt file on the desktop,
[14:12.340 --> 14:17.780]  such as this. And if you try to open it, it's going to give you the same note, which you saw
[14:17.780 --> 14:24.280]  in your pop-up window, right? That your files have been encrypted, they're asking for 0.10
[14:24.280 --> 14:31.700]  Bitcoin. If you don't pay it, they are going to, you know, release your files,
[14:31.700 --> 14:41.100]  sensitive files to the internet. So the same can be done with the phishing emails, right?
[14:41.100 --> 14:51.900]  So if we go to, let's go to Gmail and see how this attack can be done via phishing emails.
[14:51.900 --> 14:58.520]  So one thing I'm going to show you here is how do you bypass antivirus? Because that's not the
[14:58.520 --> 15:04.460]  scope of the project. We are purely looking at the ransomware and how you can create a proof
[15:04.460 --> 15:15.500]  of concept and make your incident response team work for it to see their behavior and identify
[15:15.500 --> 15:21.160]  the gaps, right? So supposing you receive emails like this with a subject line,
[15:21.160 --> 15:28.000]  important promotion list for 2020, right? And supposing you receive this from your
[15:32.120 --> 15:39.380]  colleague whose email is compromised using various other means. And since you trust that
[15:39.900 --> 15:47.680]  your colleague and internal email addresses, you think this is an important file to work with,
[15:47.680 --> 15:56.360]  okay? So once downloaded, the files look like this, okay? And this looks very legit.
[15:56.360 --> 16:06.440]  An attacker can generate this kind of data and use someone to, you know,
[16:07.160 --> 16:12.520]  download files and run it, okay? So once you have downloaded this,
[16:12.520 --> 16:16.650]  there is a note here saying that click on the chart to display the insights.
[16:17.040 --> 16:24.440]  Suddenly you'll see that, you know, the data is good. However, the issue is the chart is not
[16:24.440 --> 16:32.880]  getting loaded properly. So let's look at the macros and what an attacker has done in here.
[16:33.860 --> 16:41.340]  So the macro looks like this, okay? So it's going to download the test.patch file from GitHub
[16:41.820 --> 16:47.340]  and then it's going to run the demo.patch file. It's going to save it in the temporary folder
[16:47.340 --> 16:58.700]  and then it's going to run it, okay? So let's see what's in the GitHub and how it's going to pull
[16:58.700 --> 17:04.440]  this stuff. So right now I'm in the test.patch file. This is what it is getting pulled.
[17:04.740 --> 17:11.540]  So once things are getting pulled, it's going to run a ransomware which can be downloaded
[17:11.540 --> 17:15.980]  on the machine itself, right? Like the way we are downloading this patch file.
[17:16.360 --> 17:27.160]  So let's try to run this and see if it is actually working. So since it says that, you know,
[17:27.160 --> 17:32.900]  click on the chart to display the insight. And what I've done is on click event for this chart
[17:32.900 --> 17:40.320]  is going to call the macro and it's going to run it. So let's see if this is working. So once
[17:41.120 --> 17:54.840]  I click on this, right, it has open.cmd and it's going to pull the file from the internet
[17:54.840 --> 18:03.940]  into the temporary directory of this machine. So let's go to tmp directory and the demo file
[18:03.940 --> 18:11.360]  has already been downloaded, okay? So if you look at the timing, it's 11.16 and just now the file
[18:11.360 --> 18:18.940]  has been downloaded. It is creating the sys.txt file. The ransomware is running in the background.
[18:18.940 --> 18:28.700]  You can confirm this by the way this CMD has opened. But if you don't want the CMD file to pop
[18:28.700 --> 18:37.980]  up, you can hide that as well. See, it is creating different files. It has created backup.zip file
[18:37.980 --> 18:45.960]  and it's going to perform the same attack again. And what it's going to do this time,
[18:45.960 --> 18:53.840]  it's going to repeat exactly the same steps on the machine but without even a user realizing
[18:53.840 --> 18:59.480]  that something is happening on the account, right? So if you see that still.zip file has already
[18:59.480 --> 19:07.860]  been created. A zip file has been created. Let's see if there is actually the certificate
[19:08.580 --> 19:14.900]  created on the machine. Yes, cert.csscer has been created just now.
[19:15.040 --> 19:23.060]  But you can verify the same stuff by actually downloading, by looking at the personal
[19:23.060 --> 19:29.980]  certificate store. So this store, it is going to create a self-signed certificate on the user
[19:29.980 --> 19:38.060]  machine even though we have a UAC of always notify, right? So if you double-click on the
[19:38.060 --> 19:45.100]  certificate, you know that we have got a private key which is getting sent to an attacker via
[19:45.100 --> 19:57.680]  poke mail, okay? So once the attack is going to be successful, it's going to delete this
[19:58.480 --> 20:05.880]  self-signed certificate and the private key from the machine and then the user won't have a chance
[20:05.880 --> 20:14.820]  to encrypt their files, okay? So that's how the attack vector works even with the phishing.
[20:15.800 --> 20:25.900]  And let's go to our... oh, so the attack has already been finished. It is refreshing the
[20:25.900 --> 20:34.700]  window and that's why the windows got closed. And then when you... you can confirm this by
[20:34.700 --> 20:43.640]  going into the same tools folder and see if the files are encrypted already. So the files are
[20:43.640 --> 20:53.000]  encrypted and then the certificate is going to get deleted. So if you keep refreshing it,
[20:53.000 --> 20:59.900]  if you refresh it, the certificate is already deleted and that's how the attack works through
[20:59.900 --> 21:05.180]  phishing. And that's how the ransomware gets sprayed from one machine to the other.
[21:05.340 --> 21:12.880]  I hope you like this demo and you have learned something new out of it.
[21:15.200 --> 21:21.700]  So let's jump back to the presentation and see some mitigation strategies now.
[21:21.700 --> 21:22.520]  Now...
